Linux

# ethtool eth0              # Show the ethernet status (replaces mii-diag)
# ethtool -s eth0 speed 100 duplex full # Force 100Mbit Full duplex
# ethtool -s eth0 autoneg off # Disable auto negotiation
# ethtool -p eth1           # Blink the ethernet led - very useful when supported
# ip link show              # Display all interfaces on Linux (similar to ifconfig)
 

# ip link set eth0 up       # Bring device up (or down). Same as "ifconfig eth0 up"
# ip addr show              # Display all IP addresses on Linux (similar to ifconfig)
# ip neigh show             # Similar to arp -a

Other OSes

# ifconfig fxp0             # Check the "media" field on FreeBSD
# arp -a                    # Check the router (or host) ARP entry (all OS)
 

# ping cb.vu                # The first thing to try...
# traceroute cb.vu          # Print the route path to destination
# ifconfig fxp0 media 100baseTX mediaopt full-duplex # 100Mbit full duplex (FreeBSD)
# netstat -s                # System-wide statistics for each network protocol

Additional commands which are not always installed per default but easy to find:

# arping 192.168.16.254     # Ping on ethernet layer
 

# tcptraceroute -f 5 cb.vu  # uses tcp instead of icmp to trace through firewalls

Routing

Print routing table

# route -n                  # Linux or use "ip route"
# netstat -rn               # Linux, BSD and UNIX
# route print               # Windows

Add and delete a route

FreeBSD

# route add 212.117.0.0/16 192.168.1.1
# route delete 212.117.0.0/16
# route add default 192.168.1.1

Add the route permanently in /etc/rc.conf

static_routes="myroute"
route_myroute="-net 212.117.0.0/16 192.168.1.1"

Linux

# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254
# ip route add 192.168.20.0/24 via 192.168.16.254       # same as above with ip route
# route add -net 192.168.20.0 netmask 255.255.255.0 dev eth0
# route add default gw 192.168.51.254
# ip route add default via 192.168.51.254 dev eth0      # same as above with ip route
# route delete -net 192.168.20.0 netmask 255.255.255.0

Solaris

# route add -net 192.168.20.0 -netmask 255.255.255.0 192.168.16.254
# route add default 192.168.51.254 1                    # 1 = hops to the next gateway
# route change default 192.168.50.254 1

Permanent entries are set in entry in /etc/defaultrouter.

Windows

# Route add 192.168.50.0 mask 255.255.255.0 192.168.51.253
# Route add 0.0.0.0 mask 0.0.0.0 192.168.51.254

Use add -p to make the route persistent.

Configure additional IP addresses

Linux

# ifconfig eth0 192.168.50.254 netmask 255.255.255.0       # First IP
# ifconfig eth0:0 192.168.51.254 netmask 255.255.255.0     # Second IP
# ip addr add 192.168.50.254/24 dev eth0                   # Equivalent ip commands
# ip addr add 192.168.51.254/24 dev eth0 label eth0:1

FreeBSD

# ifconfig fxp0 inet 192.168.50.254/24                     # First IP
# ifconfig fxp0 alias 192.168.51.254 netmask 255.255.255.0 # Second IP
# ifconfig fxp0 -alias 192.168.51.254                      # Remove second IP alias

Permanent entries in /etc/rc.conf

ifconfig_fxp0="inet 192.168.50.254  netmask 255.255.255.0"
ifconfig_fxp0_alias0="192.168.51.254 netmask 255.255.255.0"

Solaris

Check the settings with ifconfig -a

# ifconfig hme0 plumb                                      # Enable the network card
# ifconfig hme0 192.168.50.254 netmask 255.255.255.0 up    # First IP
# ifconfig hme0:1 192.168.51.254 netmask 255.255.255.0 up  # Second IP

Change MAC address

Normally you have to bring the interface down before the change. Don't tell me why you want to change the MAC address...

# ifconfig eth0 down
# ifconfig eth0 hw ether 00:01:02:03:04:05      # Linux
# ifconfig fxp0 link 00:01:02:03:04:05          # FreeBSD
# ifconfig hme0 ether 00:01:02:03:04:05         # Solaris
# sudo ifconfig en0 ether 00:01:02:03:04:05     # Mac OS X Tiger
# sudo ifconfig en0 lladdr 00:01:02:03:04:05    # Mac OS X Leopard

Many tools exist for Windows. For example etherchangehttp://ntsecurity.nu/toolbox/etherchange. Or look for "Mac Makeup", "smac".

Ports in use

Listening open ports:

# netstat -an | grep LISTEN
# lsof -i                  # Linux list all Internet connections
# socklist                 # Linux display list of open sockets
# sockstat -4              # FreeBSD application listing
# netstat -anp --udp --tcp | grep LISTEN        # Linux
# netstat -tup             # List active connections to/from system (Linux)
# netstat -tupl            # List listening ports from system (Linux)
# netstat -ano             # Windows

Firewall

Check if a firewall is running (typical configuration only):

Linux

# iptables -L -n -v                  # For status
Open the iptables firewall
# iptables -P INPUT       ACCEPT     # Open everything
# iptables -P FORWARD     ACCEPT
# iptables -P OUTPUT      ACCEPT
# iptables -Z                        # Zero the packet and byte counters in all chains
# iptables -F                        # Flush all chains
# iptables -X                        # Delete all chains

FreeBSD

# ipfw show                          # For status
# ipfw list 65535 # if answer is "65535 deny ip from any to any" the fw is disabled
# sysctl net.inet.ip.fw.enable=0     # Disable
# sysctl net.inet.ip.fw.enable=1     # Enable

IP Forward for routing

Linux

Check and then enable IP forward with:

# cat /proc/sys/net/ipv4/ip_forward  # Check IP forward 0=off, 1=on
# echo 1 > /proc/sys/net/ipv4/ip_forward

or edit /etc/sysctl.conf with:

net.ipv4.ip_forward = 1

FreeBSD

Check and enable with:

# sysctl net.inet.ip.forwarding      # Check IP forward 0=off, 1=on
# sysctl net.inet.ip.forwarding=1
# sysctl net.inet.ip.fastforwarding=1	# For dedicated router or firewall
Permanent with entry in /etc/rc.conf:
gateway_enable="YES"                 # Set to YES if this host will be a gateway.

Solaris

# ndd -set /dev/ip ip_forwarding 1   # Set IP forward 0=off, 1=on

NAT Network Address Translation

Linux

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE	# to activate NAT
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT /
--to 192.168.16.44:22           # Port forward 20022 to internal IP port ssh
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT /
--to 192.168.16.254:993-995     # Port forward of range 993-995
# ip route flush cache
# iptables -L -t nat            # Check NAT status

Delete the port forward with -D instead of -A. The program netstat-nathttp://tweegy.nl/projects/netstat-nat is very useful to track connections (it uses /proc/net/ip_conntrack or /proc/net/nf_conntrack).

# netstat-nat -n                # show all connections with IPs

FreeBSD

# natd -s -m -u -dynamic -f /etc/natd.conf -n fxp0
Or edit /etc/rc.conf with:
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="open"            # Firewall type (see /etc/rc.firewall)
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="tun0"           # Public interface or IP address to use.
natd_flags="-s -m -u -dynamic -f /etc/natd.conf"

Port forward with:

# cat /etc/natd.conf 
same_ports yes
use_sockets yes
unregistered_only
# redirect_port tcp insideIP:2300-2399 3300-3399  # port range
redirect_port udp 192.168.51.103:7777 7777

DNS

On Unix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf. The domain to which the host belongs is also stored in this file. A minimal configuration is:

nameserver 78.31.70.238
search sleepyowl.net intern.lab
domain sleepyowl.net

Check the system domain name with:

# hostname -d                        # Same as dnsdomainname

Windows

On Windows the DNS are configured per interface. To display the configured DNS and to flush the DNS cache use:

# ipconfig /?                        # Display help
# ipconfig /all                      # See all information including DNS

Flush DNS

Flush the OS DNS cache, some application using their own cache (e.g. Firefox) and will be unaffected.

# /etc/init.d/nscd restart           # Restart nscd if used - Linux/BSD/Solaris
# lookupd -flushcache                # OS X Tiger
# dscacheutil -flushcache            # OS X Leopard and newer
# ipconfig /flushdns                 # Windows

Forward queries

Dig is you friend to test the DNS settings. For example the public DNS server 213.133.105.2 ns.second-ns.de can be used for testing. See from which server the client receives the answer (simplified answer).

# dig sleepyowl.net
sleepyowl.net.          600     IN      A       78.31.70.238
;; SERVER: 192.168.51.254#53(192.168.51.254)

The router 192.168.51.254 answered and the response is the A entry. Any entry can be queried and the DNS server can be selected with @:

# dig MX google.com
# dig @127.0.0.1 NS sun.com          # To test the local server
# dig @204.97.212.10 NS MX heise.de  # Query an external server
# dig AXFR @ns1.xname.org cb.vu      # Get the full zone (zone transfer)

The program host is also powerful.

# host -t MX cb.vu                   # Get the mail MX entry
# host -t NS -T sun.com              # Get the NS record over a TCP connection
# host -a sleepyowl.net              # Get everything

Reverse queries

Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:

# dig -x 78.31.70.238
# host 78.31.70.238
# nslookup 78.31.70.238

/etc/hosts

Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve the hostname queries. The format is simple, for example:

78.31.70.238   sleepyowl.net   sleepyowl

The priority between hosts and a dns query, that is the name resolution order, can be configured in /etc/nsswitch.conf AND /etc/host.conf. The file also exists on Windows, it is usually in:

C:/WINDOWS/SYSTEM32/DRIVERS/ETC

DHCP

Linux

Some distributions (SuSE) use dhcpcd as client. The default interface is eth0.

# dhcpcd -n eth0           # Trigger a renew (does not always work)
# dhcpcd -k eth0           # release and shutdown

The lease with the full information is stored in:

/var/lib/dhcpcd/dhcpcd-eth0.info

FreeBSD

FreeBSD (and Debian) uses dhclient. To configure an interface (for example bge0) run:

# dhclient bge0

The lease with the full information is stored in:

/var/db/dhclient.leases.bge0

Use

/etc/dhclient.conf

to prepend options or force different options:

# cat /etc/dhclient.conf
interface "rl0" {
    prepend domain-name-servers 127.0.0.1;
    default domain-name "sleepyowl.net";
    supersede domain-name "sleepyowl.net";
}

Windows

The dhcp lease can be renewed with ipconfig:

# ipconfig /renew          # renew all adapters
# ipconfig /renew LAN      # renew the adapter named "LAN"
# ipconfig /release WLAN   # release the adapter named "WLAN"

Yes it is a good idea to rename you adapter with simple names!

Traffic analysis

Bmonhttp://people.suug.ch/~tgr/bmon/ is a small console bandwidth monitor and can display the flow on different interfaces.

Sniff with tcpdump

# tcpdump -nl -i bge0 not port ssh and src /(192.168.16.121 or 192.168.16.54/)
# tcpdump -n -i eth1 net 192.168.16.121           # select to/from a single IP
# tcpdump -n -i eth1 net 192.168.16.0/24          # select traffic to/from a network
# tcpdump -l > dump && tail -f dump               # Buffered output
# tcpdump -i rl0 -w traffic.rl0                   # Write traffic headers in binary file
# tcpdump -i rl0 -s 0 -w traffic.rl0              # Write traffic + payload in binary file
# tcpdump -r traffic.rl0                          # Read from file (also for ethereal
# tcpdump port 80                                 # The two classic commands
# tcpdump host google.com
# tcpdump -i eth0 -X port /(110 or 143/)          # Check if pop or imap is secure
# tcpdump -n -i eth0 icmp                         # Only catch pings
# tcpdump -i eth0 -s 0 -A port 80 | grep GET      # -s 0 for full packet -A for ASCII

Additional important options:

• -A     Print each packets in clear text (without header)
• -X     Print packets in hex and ASCII
• -l     Make stdout line buffered
• -D     Print all interfaces available

On Windows use windump from www.winpcap.org. Use windump -D to list the interfaces.

Scan with nmap

Nmaphttp://insecure.org/nmap/ is a port scanner with OS detection, it is usually installed on most distributions and is also available for Windows. If you don't scan your servers, hackers do it for you...

# nmap cb.vu               # scans all reserved TCP ports on the host
# nmap -sP 192.168.16.0/24 # Find out which IP are used and by which host on 0/24
# nmap -sS -sV -O cb.vu    # Do a stealth SYN scan with version and OS detection
PORT      STATE  SERVICE             VERSION
22/tcp    open   ssh                 OpenSSH 3.8.1p1 FreeBSD-20060930 (protocol 2.0)
25/tcp    open   smtp                Sendmail smtpd 8.13.6/8.13.6
80/tcp    open   http                Apache httpd 2.0.59 ((FreeBSD) DAV/2 PHP/4.
[...]
Running: FreeBSD 5.X
Uptime 33.120 days (since Fri Aug 31 11:41:04 2007)

Other non standard but useful tools are hping (www.hping.org) an IP packet assembler/analyzer and fping (fping.sourceforge.net). fping can check multiple hosts in a round-robin fashion.

Traffic control (QoS)

Traffic control manages the queuing, policing, scheduling, and other traffic parameters for a network. The following examples are simple practical uses of the Linux and FreeBSD capabilities to better use the available bandwidth.

Limit upload

DSL or cable modems have a long queue to improve the upload throughput. However filling the queue with a fast device (e.g. ethernet) will dramatically decrease the interactivity. It is therefore useful to limit the device upload rate to match the physical capacity of the modem, this should greatly improve the interactivity. Set to about 90% of the modem maximal (cable) speed.

Linux

For a 512 Kbit upload modem.

# tc qdisc add dev eth0 root tbf rate 480kbit latency 50ms burst 1540
# tc -s qdisc ls dev eth0                         # Status
# tc qdisc del dev eth0 root                      # Delete the queue
# tc qdisc change dev eth0 root tbf rate 220kbit latency 50ms burst 1540

FreeBSD

FreeBSD uses the dummynet traffic shaper which is configured with ipfw. Pipes are used to set limits the bandwidth in units of [K|M]{bit/s|Byte/s}, 0 means unlimited bandwidth. Using the same pipe number will reconfigure it. For example limit the upload bandwidth to 500 Kbit.

# kldload dummynet                                # load the module if necessary
# ipfw pipe 1 config bw 500Kbit/s                 # create a pipe with limited bandwidth
# ipfw add pipe 1 ip from me to any               # divert the full upload into the pipe

Quality of service

Linux

Priority queuing with tc to optimize VoIP. See the full example on voip-info.org or www.howtoforge.com. Suppose VoIP uses udp on ports 10000:11024 and device eth0 (could also be ppp0 or so). The following commands define the QoS to three queues and force the VoIP traffic to queue 1 with QoS 0x1e (all bits set). The default traffic flows into queue 3 and QoS Minimize-Delay flows into queue 2.

# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
# tc qdisc add dev eth0 parent 1:1 handle 10: sfq
# tc qdisc add dev eth0 parent 1:2 handle 20: sfq
# tc qdisc add dev eth0 parent 1:3 handle 30: sfq
# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 /
  match ip dport 10000 0x3C00 flowid 1:1          # use server port range
  match ip dst 123.23.0.1 flowid 1:1              # or/and use server IP

Status and remove with

# tc -s qdisc ls dev eth0                         # queue status
# tc qdisc del dev eth0 root                      # delete all QoS

Calculate port range and mask

The tc filter defines the port range with port and mask which you have to calculate. Find the 2^N ending of the port range, deduce the range and convert to HEX. This is your mask. Example for 10000 -> 11024, the range is 1024.

# 2^13 (8192) < 10000 < 2^14 (16384)              # ending is 2^14 = 16384
# echo "obase=16;(2^14)-1024" | bc                # mask is 0x3C00

FreeBSD

The max link bandwidth is 500Kbit/s and we define 3 queues with priority 100:10:1 for VoIP:ssh:all the rest.

# ipfw pipe 1 config bw 500Kbit/s 
# ipfw queue 1 config pipe 1 weight 100
# ipfw queue 2 config pipe 1 weight 10
# ipfw queue 3 config pipe 1 weight 1
# ipfw add 10 queue 1 proto udp dst-port 10000-11024
# ipfw add 11 queue 1 proto udp dst-ip 123.23.0.1 # or/and use server IP
# ipfw add 20 queue 2 dsp-port ssh
# ipfw add 30 queue 3 from me to any              # all the rest

Status and remove with

# ipfw list                                       # rules status
# ipfw pipe list                                  # pipe status
# ipfw flush                                      # deletes all rules but default

NIS Debugging

Some commands which should work on a well configured NIS client:

# ypwhich                  # get the connected NIS server name
# domainname               # The NIS domain name as configured
# ypcat group              # should display the group from the NIS server
# cd /var/yp && make       # Rebuild the yp database
# rpcinfo -p servername    # Report RPC services of the server

Is ypbind running?

# ps auxww | grep ypbind
/usr/sbin/ypbind -s -m -S servername1,servername2	# FreeBSD
/usr/sbin/ypbind           # Linux
# yppoll passwd.byname
Map passwd.byname has order number 1190635041. Mon Sep 24 13:57:21 2007
The master server is servername.domain.net.

Linux

# cat /etc/yp.conf
ypserver servername
domain domain.net broadcast

Netcat

Netcathttp://netcat.sourceforge.net (nc) is better known as the "network Swiss Army Knife", it can manipulate, create or read/write TCP/IP connections. Here some useful examples, there are many more on the net, for example g-loaded.eu[...]http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples and herehttp://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks.
You might need to use the command netcat instead of nc. Also see the similar command socat.

File transfer

Copy a large folder over a raw tcp connection. The transfer is very quick (no protocol overhead) and you don't need to mess up with NFS or SMB or FTP or so, simply make the file available on the server, and get it from the client. Here 192.168.1.1 is the server IP address.

server# tar -cf - -C VIDEO_TS . | nc -l -p 4444         # Serve tar folder on port 4444
client# nc 192.168.1.1 4444 | tar xpf - -C VIDEO_TS     # Pull the file on port 4444
server# cat largefile | nc -l 5678                      # Server a single file
client# nc 192.168.1.1 5678 > largefile                 # Pull the single file
server# dd if=/dev/da0 | nc -l 4444                     # Server partition image
client# nc 192.168.1.1 4444 | dd of=/dev/da0            # Pull partition to clone
client# nc 192.168.1.1 4444 | dd of=da0.img             # Pull partition to file

Other hacks

Specially here, you must know what you are doing.

Remote shell

Option -e only on the Windows version? Or use nc 1.10.

# nc -lp 4444 -e /bin/bash                        # Provide a remote shell (server backdoor)
# nc -lp 4444 -e cmd.exe                          # remote shell for Windows

Emergency web server

Serve a single file on port 80 in a loop.

# while true; do nc -l -p 80 < unixtoolbox.xhtml; done

Chat

Alice and Bob can chat over a simple TCP socket. The text is transferred with the enter key.

alice# nc -lp 4444
bob  # nc 192.168.1.1 4444